fix: restore actions/setup after external root checkout in agent job (#23751)

* Initial plan

* fix: add restore actions folder step to agent job when external root checkout exists

In dev mode, when a workflow's checkout config includes an external repository
that checks out to the workspace root (no path specified), actions/checkout
replaces the workspace content with that repo's files. This removes the
actions/setup directory, causing the Setup Scripts post-step to fail with:
  'Can't find action.yml under .../actions/setup'

Fixes the 'Smoke Create Cross-Repo PR' and 'Smoke Update Cross-Repo PR'
schedule failures (#23447, #23193).

Changes:
- Add HasExternalRootCheckout() to CheckoutManager (checkout_manager.go)
- Add restore step in generateMainJobSteps when dev mode + external root checkout
  (compiler_yaml_main_job.go)
- Recompile all 178 workflow lock files
- Add unit tests for HasExternalRootCheckout and the new restore step behavior

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/310824d2-632b-4cb1-816c-f631047328f8

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* refine: add clarifying comment about dot-path normalization in HasExternalRootCheckout

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/310824d2-632b-4cb1-816c-f631047328f8

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

.github/workflows/smoke-create-cross-repo-pr.lock.yml

@@ -285,6 +285,24 @@ func (cm *CheckoutManager) HasAppAuth() bool {
 	return false
 }
 
+// HasExternalRootCheckout returns true if any checkout entry targets an external
+// repository (non-empty repository field) and writes to the workspace root (empty path).
+// When such a checkout exists, the workspace root is replaced with the external
+// repository content, which removes any locally-checked-out actions/setup directory.
+// In dev mode, a "Restore actions folder" step must be added after such checkouts so
+// the runner's post-step for the Setup Scripts action can find action.yml.
+//
+// Note: the "." path is normalized to "" in add(), so both "" and "." are covered
+// by the entry.key.path == "" check.
+func (cm *CheckoutManager) HasExternalRootCheckout() bool {
+	for _, entry := range cm.ordered {
+		if entry.key.repository != "" && entry.key.path == "" {
+			return true
+		}
+	}
+	return false
+}
+
 // GenerateCheckoutAppTokenSteps generates GitHub App token minting steps for all
 // checkout entries that use app authentication. Each app-authenticated checkout
 // gets its own minting step with a unique step ID, so the minted token can be

.github/workflows/smoke-update-cross-repo-pr.lock.yml

@@ -987,3 +987,52 @@ func TestCrossRepoTargetRef(t *testing.T) {
 		assert.NotContains(t, combined, "ref:", "checkout step should not include ref field when empty")
 	})
 }
+
+// TestHasExternalRootCheckout verifies detection of external checkouts targeting the workspace root.
+func TestHasExternalRootCheckout(t *testing.T) {
+	t.Run("returns false for nil configs", func(t *testing.T) {
+		cm := NewCheckoutManager(nil)
+		assert.False(t, cm.HasExternalRootCheckout(), "should be false for nil configs")
+	})
+
+	t.Run("returns false for empty configs", func(t *testing.T) {
+		cm := NewCheckoutManager([]*CheckoutConfig{})
+		assert.False(t, cm.HasExternalRootCheckout(), "should be false for empty configs")
+	})
+
+	t.Run("returns false for default checkout only (no repository)", func(t *testing.T) {
+		cm := NewCheckoutManager([]*CheckoutConfig{
+			{GitHubToken: "${{ secrets.MY_PAT }}"},
+		})
+		assert.False(t, cm.HasExternalRootCheckout(), "should be false when only default checkout is configured")
+	})
+
+	t.Run("returns false for external checkout with non-root path", func(t *testing.T) {
+		cm := NewCheckoutManager([]*CheckoutConfig{
+			{Repository: "other/repo", Path: "libs/other"},
+		})
+		assert.False(t, cm.HasExternalRootCheckout(), "should be false when external repo uses a subdirectory path")
+	})
+
+	t.Run("returns true for external checkout without path (workspace root)", func(t *testing.T) {
+		cm := NewCheckoutManager([]*CheckoutConfig{
+			{Repository: "githubnext/gh-aw-side-repo", GitHubToken: "${{ secrets.SIDE_REPO_PAT }}"},
+		})
+		assert.True(t, cm.HasExternalRootCheckout(), "should be true when external repo checks out to workspace root")
+	})
+
+	t.Run("returns true for external checkout with explicit dot path", func(t *testing.T) {
+		cm := NewCheckoutManager([]*CheckoutConfig{
+			{Repository: "other/repo", Path: "."},
+		})
+		assert.True(t, cm.HasExternalRootCheckout(), "should be true when external repo uses '.' as path (workspace root)")
+	})
+
+	t.Run("returns true when one of multiple checkouts targets external root", func(t *testing.T) {
+		cm := NewCheckoutManager([]*CheckoutConfig{
+			{Repository: "other/repo", Path: "libs/other"},
+			{Repository: "githubnext/gh-aw-side-repo"},
+		})
+		assert.True(t, cm.HasExternalRootCheckout(), "should be true when any checkout targets external root")
+	})
+}

pkg/workflow/checkout_manager.go

@@ -543,6 +543,19 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat
 		}
 	}
 
+	// In dev mode the setup action is referenced via a local path (./actions/setup), so its files
+	// live in the workspace. When a checkout: entry targets an external repository without a path
+	// (e.g. "checkout: [{repository: owner/other-repo}]"), actions/checkout replaces the workspace
+	// root with the external repository content, removing the actions/setup directory.
+	// Without restoring it, the runner's post-step for Setup Scripts would fail with
+	// "Can't find 'action.yml', 'action.yaml' or 'Dockerfile' under .../actions/setup".
+	// We add a restore checkout step (if: always()) as the final step so the post-step
+	// can always find action.yml and complete its /tmp/gh-aw cleanup.
+	if c.actionMode.IsDev() && checkoutMgr.HasExternalRootCheckout() {
+		yaml.WriteString(c.generateRestoreActionsSetupStep())
+		compilerYamlLog.Print("Added restore actions folder step to agent job (dev mode with external root checkout)")
+	}
+
 	// Validate step ordering - this is a compiler check to ensure security
 	if err := c.stepOrderTracker.ValidateStepOrdering(); err != nil {
 		// This is a compiler bug if validation fails

pkg/workflow/checkout_manager_test.go

@@ -818,3 +818,87 @@ func TestShouldAddCheckoutStepEdgeCases(t *testing.T) {
 		})
 	}
 }
+
+// TestGenerateMainJobStepsRestoreActionsFolder verifies that the "Restore actions folder" step
+// is added to the agent job in dev mode when an external repository checkout targets the
+// workspace root, and is NOT added when not in dev mode or when no such checkout exists.
+func TestGenerateMainJobStepsRestoreActionsFolder(t *testing.T) {
+	makeData := func(checkoutConfigs []*CheckoutConfig) *WorkflowData {
+		return &WorkflowData{
+			Name:            "Test Workflow",
+			AI:              "copilot",
+			MarkdownContent: "Test prompt",
+			EngineConfig:    &EngineConfig{ID: "copilot"},
+			ParsedTools:     &ToolsConfig{},
+			CheckoutConfigs: checkoutConfigs,
+		}
+	}
+
+	t.Run("restore step added in dev mode with external root checkout", func(t *testing.T) {
+		compiler := NewCompiler()
+		compiler.actionMode = ActionModeDev
+		compiler.stepOrderTracker = NewStepOrderTracker()
+
+		data := makeData([]*CheckoutConfig{
+			{Repository: "githubnext/gh-aw-side-repo", GitHubToken: "${{ secrets.SIDE_REPO_PAT }}"},
+		})
+
+		var yaml strings.Builder
+		err := compiler.generateMainJobSteps(&yaml, data)
+		require.NoError(t, err, "generateMainJobSteps should not error")
+
+		result := yaml.String()
+		assert.Contains(t, result, "Restore actions folder", "agent job should have restore step in dev mode with external root checkout")
+		assert.Contains(t, result, "repository: github/gh-aw", "restore step should checkout github/gh-aw")
+		assert.Contains(t, result, "actions/setup", "restore step should checkout actions/setup")
+	})
+
+	t.Run("restore step NOT added in dev mode with external subdirectory checkout only", func(t *testing.T) {
+		compiler := NewCompiler()
+		compiler.actionMode = ActionModeDev
+		compiler.stepOrderTracker = NewStepOrderTracker()
+
+		data := makeData([]*CheckoutConfig{
+			{Repository: "other/repo", Path: "libs/other"},
+		})
+
+		var yaml strings.Builder
+		err := compiler.generateMainJobSteps(&yaml, data)
+		require.NoError(t, err, "generateMainJobSteps should not error")
+
+		result := yaml.String()
+		assert.NotContains(t, result, "Restore actions folder", "agent job should NOT have restore step when external checkout uses a subdirectory")
+	})
+
+	t.Run("restore step NOT added in dev mode with no external checkouts", func(t *testing.T) {
+		compiler := NewCompiler()
+		compiler.actionMode = ActionModeDev
+		compiler.stepOrderTracker = NewStepOrderTracker()
+
+		data := makeData(nil)
+
+		var yaml strings.Builder
+		err := compiler.generateMainJobSteps(&yaml, data)
+		require.NoError(t, err, "generateMainJobSteps should not error")
+
+		result := yaml.String()
+		assert.NotContains(t, result, "Restore actions folder", "agent job should NOT have restore step when no external checkouts")
+	})
+
+	t.Run("restore step NOT added in action mode even with external root checkout", func(t *testing.T) {
+		compiler := NewCompiler()
+		compiler.actionMode = ActionModeAction
+		compiler.stepOrderTracker = NewStepOrderTracker()
+
+		data := makeData([]*CheckoutConfig{
+			{Repository: "githubnext/gh-aw-side-repo"},
+		})
+
+		var yaml strings.Builder
+		err := compiler.generateMainJobSteps(&yaml, data)
+		require.NoError(t, err, "generateMainJobSteps should not error")
+
+		result := yaml.String()
+		assert.NotContains(t, result, "Restore actions folder", "agent job should NOT have restore step in action mode")
+	})
+}